Updated – Hackout: Philips Smart Lightbulbs Go Dark In Remote Attack

Add lightbulbs to the list of everyday technology that is 1) Internet connected and 2) vulnerable to crippling remote attacks.*

Writing on Tuesday, security researcher Nitesh Dhanjani disclosed a proof of concept hack against HUE lightbulbs, a brand of wi-fi enabled bulbs manufactured by the firm Philips. The vulnerability discovered by Dhanjani allows a remote attacker to use her mobile device to control HUE.

A security researcher found that HUE Smart Control lightbulbs by Philips are vulnerable to remote attacks. (Photo courtesy of Philips.)

HUE wi-fi enabled bulbs are sold at Apple stores and allow users to control the function and color of the bulbs using iPhone and Android mobile apps. Dhanjani published his findings in a paper, “Hacking Lightbulbs,” which calls the HUE system of bulbs and a wireless bridge “wonderfully innovative,” but also prone to hacking.

The most serious flaw discovered would allow a remote attacker to impersonate a white-listed (or “allowed”) mobile device, sending commands to HUE bulbs that could cause them to turn off or manipulate the bulb’s color. In a detailed report (PDF), Dhanjani said he discovered that the wireless bridge that relays commands to the deployed HUE bulbs relies on a list of allowed “tokens” to validate the HTTP-format requests from authorized administrators. However, in the case of the iOS app that is used with HUE devices, those tokens are merely an MD5 hash of the whitelisted mobile device’s Machine Access Code (or MAC) – a publicly broadcast and easily retrievable bit of identifying information.

“Malware on the internal network (that) can capture the MAC address active on the wire (using the ARP5 cache of the infected machine)…can cycle through each hash and issue ‘all lights off’ instructions,” Dhanjani wrote.

And, Philips hasn’t provided a way to de-list a token, meaning that attackers who managed to derive a valid token from a device MAC address couldn’t be denied access.

Other vulnerabilities were more commonplace. The web-based administrative application for HUE doesn’t enforce strong passwords, and (like most other web-based services) might be compromised in cases where administers reuse passwords between social media accounts. On the more exotic side: Dhanjani found a way to mess with a HUE feature that uses the IFTTT platform to let users set the color of a HUE bulb to the hues of a Facebook photo they were tagged in. (Don’t ask me.) By uploading a blank picture and tagging a HUE administrator in it, such a feature would turn the bulbs black. (Huh?!)

According to Dhanjani, efforts to report the security holes to the HUE team at Philips were a dead-end. The company hasn’t provided a means to report security issues, and Twitter messages back and forth didn’t bear fruit. The company didn’t immediately respond to a request for comment from The Security Ledger.

In an email message, Philips spokeswoman Silvie Casanova said that the company “used industry standard encryption and authentication techniques to ensure that unauthorized persons cannot gain access to the lighting system.” An attack like that described by Dhanjani requires an attacker to have first compromised the home network on which the HUE bulbs are deployed. “Our advice to customers has been that they take steps to ensure they are secured from malicious attacks at a network level, in order to protect all of their devices, including HUE,” she said. In the even of an network breach, disconnecting the wireless bridge turns a HUE bulb back into a “normal LED bulb that is controlled by a light switch.”

Though none of the hacks would be destructive, they could be disruptive, Dhanjani notes. They are also more evidence that manufacturers are giving short shrift to security as they move aggressively to bring IP-enabled home devices to market.

“It is important that Philips and other consumer IoT organizations take issues like these seriously. In the age of malware and powerful botnets, it is vital that people’s homes be secure from vulnerabilities like these that can cause physical consequences,” Dhanjani wrote.

Dhanjani said that, as more IP-enabled consumer devices make it into the home malicious software including worms, viruses and botnets will look to capitalize on easy to exploit vulnerabilities to take over the devices, using them to launch further attacks or to menace home owners.